Browse all 5 CVE security advisories affecting RocketChat. AI-powered Chinese analysis, POCs, and references for each vulnerability.
RocketChat is an open-source team communication platform offering real-time messaging, video conferencing, and file sharing. Historically it has been affected by vulnerabilities including remote code execution, cross-site scripting, and privilege escalation, most often rooted in improper input validation and access-control flaws. Its self-hosted model gives organizations control over their data but places the burden of security maintenance on the operator. While no major public security incidents have been widely documented, the five CVEs listed here show that security remains an ongoing concern. Operators should apply updates promptly and harden their deployments, since the platform's broad feature set and integrations enlarge its attack surface.
| CVE ID | Title | Vendor | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-30833 | Rocket.Chat: NoSQL injection in the EE ddp-streamer-service | Rocket.Chat | CWE-943 | 9.8 | - | 2026-03-06 |
| CVE-2026-30831 | Rocket.Chat: 2FA bypass and login of deactivated users via EE ddp-streamer | Rocket.Chat | CWE-287 | 9.8 | - | 2026-03-06 |
| CVE-2026-28514 | Rocket.Chat: Users can login with any password via the EE ddp-streamer-service | Rocket.Chat | CWE-287 | 9.8 | - | 2026-03-06 |
| CVE-2026-23477 | Rocket.Chat Unauthorized Access to OAuth App Details | Rocket.Chat | CWE-269 | 7.7 | High | 2026-01-14 |
| CVE-2021-32832 | ReDOS in Rocket.Chat | Rocket.Chat | CWE-400 | 4.3 | Medium | 2021-08-30 |
This page lists every published CVE security advisory associated with RocketChat. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products, and references. AI-generated Chinese analysis is provided to speed up triage.